RSA Reveals Cyber-crime Infrastructure Behind Zeus Trojan

Security researchers at RSA spotlight the cyber-infrastructure that props up malware by providing so-called bulletproof hosting to attackers. Troyak, as it turns out, is just one of five upstream providers surrounding a core of eight bulletproof networks tied to malware such as Zeus.

Researchers in EMC's RSA security division have uncovered an extensive infrastructure propping up the attackers behind the Zeus Trojan. The findings reflect part of the reason the disruption of Troyak-AS on March 9 only caused Zeus traffic to slow, as opposed to stopping it in its tracks. Troyak is just one part of a larger cyber-crime infrastructure helping to provide "bulletproof" hosting to attackers.

"In light of our findings, AS-Troyak appears to be a piece in an intricate puzzle of networks that are used for malicious purposes," RSA said March 17. "We suspect that the purpose of these networks is to connect an armada of eight malicious, bulletproof malware-hosting facilities to the Internet, assuring their constant online presence."

According to RSA, Troyak is one of five upstream providers that surround the eight networks. The other four upstream providers are Taba, Smallshop, Profitlan and Ya. Besides Zeus, the eight networks host other forms of malware as well as servers for the Gozi Trojan and drop servers for the RockPhish gang.

"The connectivity status of the networks that relied on AS-Troyak is unstable, with servers going back online, then off again, as they try to reconnect via several peering options," RSA reported. Troyak meanwhile has sought to redirect its Web traffic through other upstream providers. As of March 16, however, most of the malware servers that used Troyak were functional and using both Troyak and other connections within the cyber-crime ecosystem RSA analyzed.

"The way these malicious networks attain bulletproof connectivity is through the intricacy of their connection schemes," RSA explained. "The bulletproof network that harbors the malware itself connects to a legitimate ISP via 'Upstream Providers' (transit autonomous systems), which mask its true location. No actual malware is present on the 'masking' networks. The particular cyber-crime infrastructure we analyzed uses five upstream providers to hide its connections to the Internet."

RSA stressed, "Each upstream provider is able to connect to multiple legitimate ISPs; those remain unaware of the malware-hosting servers that indirectly exploit their services."

Sean Brady, manager of the Identity Protection and Verification Group at RSA, told eWEEK that it is atypical for organized crime to reach this level of extensive operating infrastructure because of the difficulty involved in a criminal operation building itself up to this scale.

"What has become typical, though, are fraudsters, not necessarily even directly affiliated with the organized crime groups, [who] recognize the value of the services provided and pay money to use the infrastructure for their own fraudulent purposes," Brady said. "It is analogous to legitimate Internet usage: there are not that many large-scale ISPs in the world given their cost of infrastructure, but there are millions of people willing to pay the ISPs to use their services."